[redhat-lspp] LSPP Development Telecon 11/28/2005 Minutes

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 29 15:13:16 UTC 2005


On Tue, 2005-11-29 at 09:50 -0500, Steve Grubb wrote:
> I've been thinking about this problem since it's not being solved. I was hoping 
> to discuss this idea. My concern is that strcmp will not be accepted as it's 
> too slow. I was thinking that if we could get it down to an "and" operation 
> and a compare, it will be high performance.

I wouldn't rule it out without measuring it first.  I suspect that it
will end up being a wash because we already have the context strings at
this point (collected by the audit system), so it is not significantly
faster to map those strings to integer ids and compare the integers than
to just compare the strings directly.  In fact, it will be slower.

> > 1) pass the filter rule to SELinux to compile to an internal form (this
> > _may_ include conversion to an integer id value for the role, but that
> > isn't the same as the SID), and later call SELinux when the filter rule
> > needs to be evaluated, or
> 
> How easy is this? Is this a performance hit? It will affect every single 
> syscall.

I think it will end up being more expensive than the second approach.

> > 2) retain the rule with the role still in string form, and only use
> > SELinux to split security contexts into components as needed to compare
> > the strings.
> 
> I'm thinking this is not going to be acceptable due to performance. This 
> affects every single syscall.

As I said, I'd suggest trying it first.  It is certainly easier to
implement, and we can then revisit it if we find that it is too costly.
Not clear it truly affects every single syscall anyway; these filters
should be selective.

> The basic idea that I was thinking about was to loosely add meaning to the SID 
> - a bit map perhaps. Not a strict definition of say bits 4-8 will always be 
> the role...but a loose definition where the compiler looks to see how many 
> roles are actually called for and how many bits it takes to express that. 
> Then an interface would be needed to get that bit map. auditctl code would 
> query selinux to see what the role definition is. The kernel would then "and" 
> with bit mask, shift bits, and compare to see if it's a role we want.
> 
> Whatever we do needs to be high performance.

-- 
Stephen Smalley
National Security Agency
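The two approaches debated above (compile the rule's role to an integer id, or keep it as a string and compare the role component of the context directly) side by side, as an added example that is not code from this thread, from the audit subsystem or from SELinux. It assumes a constructed role table standing in for the policy's role list and a context of the form user:role:type[:level]; the helper names are hypothetical. Since the context arrives as a string, the integer path still has to parse and look up the role on every evaluation, which is the point made in the reply.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Locate the role component (second colon-separated field) of a SELinux
 * security context "user:role:type[:level]". Returns 0 and sets role/len on
 * success, -1 if the context does not carry at least user, role and type.
 * A malformed context must never match a rule, so callers treat -1 as "no". */
static int context_role(const char *ctx, const char **role, size_t *len)
{
    const char *p = strchr(ctx, ':');
    if (!p)
        return -1;
    const char *start = p + 1;
    const char *end = strchr(start, ':');
    if (!end)
        return -1;          /* no type field after the role: malformed */
    *role = start;
    *len = (size_t)(end - start);
    return 0;
}

/* Approach 2: the rule keeps its role as a string; each evaluation splits
 * the context and compares the role component with an exact-length match
 * (so "system" never matches "system_r"). */
int audit_rule_role_matches(const char *ctx, const char *rule_role)
{
    const char *role;
    size_t len;
    if (context_role(ctx, &role, &len) < 0)
        return 0;
    return strlen(rule_role) == len && memcmp(role, rule_role, len) == 0;
}

/* Constructed role table (hypothetical; a real policy supplies its own). */
static const char *role_table[] = {
    "object_r", "system_r", "staff_r", "sysadm_r", "user_r"
};
#define NROLES (sizeof(role_table) / sizeof(role_table[0]))

/* Map a role name to its small integer id, -1 if the policy has no such role. */
int role_to_id(const char *role, size_t len)
{
    size_t i;
    for (i = 0; i < NROLES; i++)
        if (strlen(role_table[i]) == len && memcmp(role_table[i], role, len) == 0)
            return (int)i;
    return -1;
}

/* Approach 1: compile the rule once to an integer id at load time ... */
int audit_rule_compile_role(const char *rule_role)
{
    return role_to_id(rule_role, strlen(rule_role));
}

/* ... but each evaluation still has to split the context string and look the
 * role up before the integer compare, i.e. strictly more work than approach 2. */
int audit_rule_role_id_matches(const char *ctx, int rule_role_id)
{
    const char *role;
    size_t len;
    if (rule_role_id < 0 || context_role(ctx, &role, &len) < 0)
        return 0;
    return role_to_id(role, len) == rule_role_id;
}

int main(void)
{
    const char *ctx = "staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023";  /* constructed */
    int id = audit_rule_compile_role("sysadm_r");
    printf("string compare: %d\n", audit_rule_role_matches(ctx, "sysadm_r"));
    printf("integer compare: %d\n", audit_rule_role_id_matches(ctx, id));
    return 0;
}
```

The exact-length comparison and the rejection of contexts with fewer than three fields are the two checks worth keeping whichever approach is chosen; a prefix match or a lenient parser would let a filter rule fire on the wrong subject.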
